10 Years in Cyber Risk

The “10 Year Challenge” meme that made the rounds last month on Facebook and Instagram got us thinking about how things have changed in a decade in the world of cyber risk.

Looking back to the cyber risk landscape of 2009, it’s not a clear-cut narrative of change between then and now. In fact, it’s a bit like the people who shared their photos for the challenge: on the surface, much is new and different – yet certain more essential aspects remain unchanged.

First let’s look at the similarities. In a general sense, cyber risk was already well-known 10 years ago, at least in government, military, and tech, if not in the broader business community. That year, President Obama launched a White House cybersecurity office and focused a major speech on the subject. North Korea made headlines for alleged cyber attacks on South Korea. Twitter suffered its first high-profile distributed denial of service (DDoS) attack. Spear phishing was known as one of the top tactics for hackers. Many of these stories and topics wouldn’t be out of place if published today, with a few names and details changed.

But just as technology has driven rapid change in how we communicate and consume information on the Internet in the last 10 years, cyber risk has evolved and expanded. Here are three of the key ways that cyber risk has changed.

The scale of cyber risk has exploded

First, scale. In 2009, the iPhone was only two years old, and Android was in its infancy. The predominant access point for the Internet was the personal computer and web browser, and most businesses still hosted their data in on-premises servers.

Today, our smartphone apps, speaker systems, thermostats, cars, and even household appliances are increasingly Internet-connected and thus are potential vectors for attack. Next year it’s expected that there will be 20 billion IoT devices in use worldwide; in 2009 that number was under 1 billion.

Meanwhile, this trend toward increased connectivity has led to increasing loads of data being collected and stored by businesses, who in turn have dealt with the task of managing and storing that data by turning to cloud-based storage options. Now, not only are businesses holding onto an abundance of data, it’s also being stored in a way that increases the attack surface – scattered on third-party servers that are often accessible through the web.

On the basis of scale alone, cyber risk is a completely different conversation in 2019 than it was in 2009.

Cyber risk has gone mainstream

Next is awareness. For business leaders, the last 10 years have presented a series of wake up calls in the form of data breaches and ransomware attacks. Target and Home Depot in 2013 and 2014. Anthem, the major health insurer, in 2015. A slew of major businesses in 2017, including Equifax, Merck, Maersk, and more. All of a sudden, the cyber risk conversation spread from the realm of datacenters and nuclear facilities into the mainstream of businesses large and small — and their employees, personal computers, and customers.

A survey from Allianz of business leaders puts cyber risk at #2 on a list of business risks – up from 15th just five years ago.

The cyber risk conversation is now an insurance conversation

Finally, one that’s close to home for us at Corvus: insurance. While cyber insurance has been available in some form since the 1990’s, it has only become a common, well-known option for businesses much more recently. Once businesses came to grips with the scale of the digital assets they had to protect, and the business risks posed by high-profile cyber attacks, they naturally looked to their insurers for help. The industry has responded, and now there are a number of options for cyber insurance, both from traditional insurers and from startups like Corvus who work with carriers.

Aside from the fact that there are more options to insure cyber risk, there is also far more in the way of information and knowledge suffused throughout the insurance industry. As with other complex commercial insurance products, insurance brokers are the preferred channel for businesses to get informed about and acquire insurance. Wholesale brokers and some retail brokers are increasingly folding cyber into their standard set of commercial offerings, and developing institutional expertise in insuring cyber risk.

Part of extending knowledge about cyber risk is sharing data, something that is possible, and indeed welcomed, in cyber insurance today. This is a departure both from the cyber landscape of 2009, and from the traditional model of insurance. The digital landscape is constantly evolving — and with new types of threats, and new vulnerabilities, popping up constantly, predicting risk is hard. That’s why, for insurers, gathering as much new data as possible about cyber risks is critical; and why sharing that data with brokers, and in turn with policyholders, helps to prevent claims and improve the products that get put into the market. Sharing data has become a cornerstone of our approach at Corvus, and makes cyber insurance unique within the field of insurance.

The last 10 years have brought a massive changes to cyber risk, and the next 10 are sure to bring more yet. All of us in the cyber insurance field are working to ensure that in spite of its constant evolution, the cyber landscape becomes safer more predictable by the end of the next decade.